Pages

Sunday, June 10, 2012

I get mails almost on a daily basis from people asking me how to build a Wcf client to consume a service of framework X (usually axis or wsit but others as well). After getting hundreds of these mails in the recent years I conclude that there is a single most common setting which most people need. There are also common confusions that a lot of people stumble on in their first try. In this post I will present the common setting, and what can (and will) go wrong.

The mails I get usually start with this soap sample which people want wcf to send:

Optionally ssl is also used.

The wcf setting required here is a custom binding with an authentication mode of "mutualCertificate":

(where https may be used instead of http)

Confusion 1: A wrong soap version by you can cause the server to return different kinds of exceptions. Make sure the "messageVersion" property on the textEncodingElement fits your needs. In particular if no ws-addressing headers are used (To, ReplyTo, MessageID and Action) then use "Soap11" (as above) or "Soap12" without any ws-addressing version.

Confusion 2: The proxy may throw this exception:

The client certificate is not provided. Specify a client certificate in ClientCredentials.

That's an easy one, you must confiugure a client certificate which is pretty basic for a signing scenario. You can do it from code or config. Here is the config version:

Confusion 3: You still get the same error after you have defined the certificate. In this case make sure you have configured the endpoint to use the behavior:

Confusion 4: When I use mutualCertificate authentication mode I define my client certificate. I do not have a server certificate to define. My proxy is not sending anything and throws this error:

The service certificate is not provided for target 'http://localhost/MyWebServices/Services/SimpleService.asmx'. Specify a service certificate in ClientCredentials.

The issue is that mutualCertificate always requires you to define a server certificate. In some cases you may not need it. In such cases it is ok to define some dummy certificate as the server certificate, even can be the same certificate you use for the client:

Of course you may also do so from code.

Confusion 5: You may get this error:

"The X.509 certificate CN=WSE2QuickStartServer chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.\r\n"

This typically mean the server certificate you have defined is not trusted by your machine. In the case that you have defined a dummy server certificate (see confusion 3) or in other cases - at your risk and for testing purpose only - you can turn off this validation by setting certificateValidationMode to None.

Confusion 6: I am getting a good response from the server but the proxy throws this exception:

The incoming message was signed with a token which was different from what used to encrypt the body. This was not expected.

Congratulations, turns out you need to define a real server certificate anyway (so confusion 2 does not apply). You should get it from the service author. But if you don't there a nice trick to infer the certificate by extracting the value of the binary security token from the message and saving it to disk (in binary form) as alluded here.

Confusion 7: I am getting a good response from the server but the proxy throws this exception:

Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security.

This means the service is not signing the response even though you sent a signed request. In .Net 4+ you can turn off the secured response requirement by toggling the security channel in your custom binding:

Confusion 8: When I use mutualCertificate I see my proxy sends a message in a very different from what I need. In particular there is no signature but only encryption, something like this:

What you need to know is that by default messages will be signed AND encrypted, and moreover the encryption will also encrypt the signature and "hide" it from your eyes. The solution is to set the correct protection level on your contract:

btw while interoperating with some java stacks you will know you are in confusion #8 if you get this error:

Confusion 9: After applying the mitigation to confusion 7 the outgoing message is still not in the desired format. In particular the message is not signed by the binary token by a derived token, and there is a primary and a secondary signature instead of just one:

For all things interop wssecurity10 is your friend and wssecurity11 is the enemy. keep your friends close! Make sure the messageSecurityVersion attribute has a value that starts with wssecurity10:

Confusion 10: You get this error :

Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'localhost' but the remote endpoint provided DNS claim 'WSE2QuickStartServer'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'WSE2QuickStartServer' as the Identity property of EndpointAddress when creating channel proxy.

Confusion 11: You get a good response from the server but the proxy throws this error:

No Timestamp is available in security header to do replay detection

or this one:

The security header element ‘timestamp’ with ‘Timestamp-xxxx’ id must be signed.

These may happen when you send to the server a signed timestamp so wcf expects to get one back AND to have it signed. So either you do not get one back or it is not signed. For start try to set the includeTimestamp property on the "security" binding element to false. But this will not work if the server actually requires a timestamp. If it requires one but unsigned then write a custom encoder to you proxy and manually generate and push the timestamp header to the request. If the server requires a signed timestamp then your only hope is to set allow unsecured response to true (.net 4 only):

AND to strip out ANY remains of the "security" tag from the response (not just the timestamp) using a custom encoder. If WCF will see the security tag then it will be very defensive and try to validate it. Of course if the security tag which you removed contains some signature this means you will not be able to validate it, which is a shame. I'm not familiar with any better workaround at this moment, so I'm investigating a few directions.

Confusion 12: Ssl is used, and you try certificateOverTransport instead of mutualCertificate authentication mode on your custom binding. You may get away with the request, since it is similar, but once the response come back you may experience:

Cannot find a token authenticator for the 'System.IdentityModel.Tokens.X509SecurityToken' token type. Tokens of that type cannot be accepted according to current security settings.

What's going on here? certificateOverTransport assumes the client authenticates with a message level certificate, but the server authenticates with its transport ssl certificate. However a more common use case is that the server also authenticates with a message level certificate, in addition to its transport one. You could identify such scenario by seeing a signature element in the server response. This means you need a mutualCertificate authentication mode together with an https transport binding element:

Summary
When Wcf consumes third party services, the most common authenticationMode would be "mutualCertifiate". Make sure you tried all combinations of this setting before trying other settings. Of course if you are in a situation where mutualCertificate clearly does not apply (e.g. username authentication) then this is not relevant for you. But even when usernames are used they may still be in combination with a client certificate, in which case it would still make sense to SecurityBindingElement.CreateMutualCertificateBindingElement() for bootstrap and add the username as a supporting token.

I have tried with given configuration but getting "unsigned element body found". I have trace the output request but only one Reference element is generated instead of two. Also Uri in this reference element is not also proper.

I could not have a control on third party service side. But from client side I have tried out using custom binding. But the same error still I am getting.

Another thing, when I used Microsoft Service Trace Viewer for tracing, I am getting "Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security." error. For this I have tried with Confusion#8: enableUnsecuredResponse="true" but still same error.

the error you got makes a lot of sense - the server returns an unsecured soap fault (as seen in the sample you sent to my mail).the fault specifies that the problem is that your request does not encrypt the soap body. this is not related to the binding you use - it is related to the ProtectionLevel in reference.cs. See confusion 8 for more details.

I've a soap client accessing a routing service by passing in a certificate. I always receive "The client certificate is not provided" error. How do we pass certificate from a soap client. I've posted in msdn forum too.

But now getting "Cannot find a token authenticator for the System.IdentityModel.Tokens.UserNameSecurityToken token type. Tokens of that type cannot be accepted according to current security settings." error.

I am facing the same issue as Mitesh where my request is failing with error "unsigned element s:body found". I tried almost all the options you have suggested for custombinding but none of them are working. I see you are the only expert who can deal with such issues. I know its all magic of Client's app.config. Could you please advise what settings should I use in app.config? I have posted working SOAP UI request at http://stackoverflow.com/questions/13076456/how-to-consume-java-webservice-from-net-and-wcf

Thanks for the reply, Yaron. Maybe I can give you more details. I'm using a service reference to an Oracle EBS web service in VS 2012. Our test server is not running SSL, but the service requires UserName authentication, so I'm using the CUB.

I'm certain my app.config file is setup properly. It looks very similar to the example in the CUB solution.

I'm using Fiddler2 to watch my http traffic, and I get a 200 response from the server with a valid SOAP message for my query yet I get the exception, "Security processor was unable to find a security header in the message. This might be because the message is an unsecured fault or because there is a binding mismatch between the communicating parties. This can occur if the service is configured for security and the client is not using security."

Thanks for collating all such findings in one post, really appreciate.I am writing this comment to better understand a behavior happening in my service. I am using custom binding with following binding/behavior config on a service with ProtectionLevel = Sign:

Now the requests from the client work fine and both request and response are signed. However, the same set of configuration and endpoint works with a test client with following config:

I am not able to understand when the client config is not configured to use the actual client cert ('ClientCert123') for signing requests, instead it's using the service cert ('ServiceCert456') for same how is the service able to verify the signature and process the request? Shouldn't the service fail on requst verification as the client cert wasnt used to sign it?

But getting FailedCheck : failure in security check from Server. And on follow up they informed me that it requires only , which is signed Soap body reference.

Is there any way I can avoid WCF to signing the "Timestamp" (URI="#uuid-d1c26717-6465-417f-9c45-5cfbe9edd779-1") and a header node (URI="#_2") ?

I'm trying to find out if it can be done using custom binding settings in app.config, not successful yet. Thought of checking with you if at all possible to do this by a correct custom binding ? If not an option at all, Do you think I can do it by modifying request some way in my C# code ? (I tried to see the request by implementing IClientMessageInspector - that gives me request before WCF actually signing the message)

I really appreciate if you can suggest some way to make this work in WCF.

How can I specify a minimum byte size value that should be mtom optimized by wcf programtically or by config means. The purpose is to control, for instance , only byte size greater than 3000 should be mtom optimzed by wcf when sending an mtom request. Any thoughts?

This error is not related to WCF. In one of the username fields you have provided a value which the server does not expect. Try comparing your outgoing message with a sample working message from documentation.

But now I am unable to make the call from console application (where I added service reference). It is throwing exception "An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail.".

Please suggest me how I can provide UsernameToken and validate user by Username and Password.

I am able to successfully validate the user by Username and Password using wsHttpBinding but then in SOAP UI I don't have BinarySecurityToken. This tag I am getting with your way by using CustomBinding.

Hi Yaron, I'm developing a client to consume a web service written in java using web security, thanks to your post series I get it working now in my development environment. Now I have a problem, when i run the application in the customer's network i get this error messaje from the service:

org.jboss.ws.core.CommonSOAPFaultException: An internal error occurred WS-Security. See log for details

My first reaction was Fiddler and found that the SOAP message structure remains the same as the generated in my development environment. According to the network administrator for the proxy / fiewall has no restriction at all. With this facts I enabled tracing for the WCF client in my application but not further details appart for this erro rmessage.I have no clue What could be causing this error? (Hopefully) Do you have address this before?

Please mail me the SOAP your client sends (use Fiddler to get it) and a sample working SOAP. Also sent the serve response from fiddler. In all cases please include the http headers. If there is any special error in the server logs send it too.

Hi Yaron,I'm doing what I thought was a simple conversion from .NET 2 to .NET 4 framework. I hadn't changed any code other than my configuration for the framework change. My basicHttpBindings still work, but my custom bindings do not. I get an error from the java web service: SECU3757: Unknown exception while performing decryption: java.security.InvalidKeyException: Illegal key size.

When I check with the WS owner he says the data is coming through in a different format. Here is the difference:.NET 2 (successful request)

Hi Yaren, could you please also add Server side configuration and explain it. Because I want to test my client, but I am not sure If I am programming server side truly. If possible It would be better If you can share source code with us, your followers. Best Regards.

Hi Yaron,really thanks for the post...The error I got is{"The service certificate is not provided for target 'https://aa.bb.com/xtzt/bbbb/methodname'. Specify a service certificate in ClientCredentials."}as in your confusion #4 I added a certificate in my trusted root certification authority store... (I would like to add the site's ssl server certificate but i cannot add it to my stores I think) This time, I got the DNS error (confusion #10). I fix it by adding identity dns tags, this time I got

"The HTTP request was forbidden with client authentication scheme 'Anonymous'"...

This means that in addition (or instead?) of messgae security you also have transport security. Maybe you need user/pass in the http level by setting an httpsTransport with authenticationSchema attribute. You need to get a sample working request (including http headers) and see how it looks.

Hi YaronThanks for your post.I try to connect to a service(not our) using custombinding with mutualcertificate. Get "security processor was unable to find a security header.." I've changed enableUnsecuredResponse to true. The error has changed to "An error occurred when verifying security for the message". Tried to change ProtectionLevel - no difference. Please help. Thank you.

for this specific difference I think it depends in the certificate you use. can you try to use another certificate (even temporarily)? what soapui creates? I also think it is safe to change this value manually (e.g. via an encoder)

Just checking into say thanks. I had been trying for two days to get SoapUI to be able to send successfully to my WCF Service even though I had a WCF Client that could. I kept receiving "Signing without primary signature requires timestamp" from the soapUI calls and the only difference in XML was the Timestamp came first from the WCF client and last from soapUI. The securityHeaderLayout setting didn't do anything, but #9 on your post did as my messageSecurityVersion was WSSecurity11, switched it to WSSecurity10 and everything works great. Thanks again!

Hi Yaron,I'm try to consume a webservice that appears to be written in java and that requiert some element of WS-Security: signature, timestamp and username.I have created a x509 certificate to sign the request and I was provided with a username and a password to use with the requestI manage to make it work using SoapUI here is a link to the request capture using fiddler: http://pastebin.com/LbMp6nyG

The final goal is to consume this service in a .net web application, i've created a sample and try different configurationI have an error : "An error was discovered processing the header"here is the request send by the web application: http://pastebin.com/hLG0k5jNhere is the web.config configuration that I use: http://pastebin.com/9BECTEnT

The request is somehow similar to the soapui one but not the same, can you point me in the right direction?it seems that the .net call does not send the username and password even if I set them in the code like this: GererContratTelesurveillanceClient tls = new GererContratTelesurveillanceClient(); tls.ClientCredentials.UserName.UserName = "tlsprows"; tls.ClientCredentials.UserName.Password = "123";

Hi Pierrick, in order to add a username token to a mutualcertificate binding, either use something like this https://gist.github.com/yaronn/7894760 (might need to fine tune) or add the username tags in a message inspector (they will not be signed but you do not need it anyway).

Hi, I've tried to manualy set up the binding using your link https://gist.github.com/yaronn/7894760 but I have a problem with the line:new ServiceReference1.SimpleServiceSoapClient(b, new EndpointAddress(new Uri("https://www.bankhapoalim.co.il/"), new DnsEndpointIdentity("WSE2QuickStartServer"), new AddressHeaderCollection()));

What is this class? my service class generated after adding the service reference in the web application does not have a constructor with that many parameters.

a other question is why setting up the username and password using ClientCredentials is not working with mutualcertificate? (no node in the soap header is created)

user/pass + client certificate will not work declaratively with xml binding. you can create them via code like I sent or with mutualcertificate I beleive. This is a default ctor for a service proxy, maybe it's in partial class in anotehr file or in a base class, which ctor you have?

there should be a protectionOrder setting on the security channel of a custom binding but it that does not help the only way is to implement a custom encoder and change the order of the generated message.

Could any one help me in setting the values security headers for the same webservice through JAVA, it seems the code above is for .NET, WHat are the classes or api required to setup the SecurityHeaderType values,

I need to set up for below XML. i am attaching the INPUTXML please share the JAVA code with Signed parameters, for X509 cetificate.